CHARTER OF THE RISK COMMITTEE OF THE BOARD OF DIRECTORS OF TRUIST FINANCIAL CORPORATION AND TRUIST BANK
Purpose
The Risk Committee (the “Committee”) is a joint committee appointed by the Boards of Directors (collectively and/or individually for the respective corporation, as the case may be, the “Board”) of Truist Financial Corporation and Truist Bank (collectively and/or individually herein, as the case may be, the “Corporation”) to assist the Board in its oversight of the Corporation’s risk management framework, including the significant policies, programs, and plans established by management to identify, measure, monitor, assess, manage, and report on risks arising from the Corporation’s exposures and business activities.
Discharging the duties of risk oversight requires, among other things, that the members of the Committee:
• understand, communicate and monitor the Corporation’s strategy, risk appetite, and risk profile, including emerging and ongoing risks; • stay abreast of regulatory requirements and industry standards related to risk management, and other topics relevant to their responsibilities; • provide input to management on strategy, risk appetite, and risk profile; • oversee the effectiveness of the Corporation’s enterprise risk management framework and governance of risk, and the adherence to the Corporation’s strategy and risk appetite; • engage in robust inquiry into drivers, indicators, and trends related to current and emerging risks, and material or persistent deficiencies in risk management or control practices; and • provide oversight and effective challenge of recommendations made by management that could cause the Corporation’s risk profile to exceed its risk appetite or jeopardize the safety and soundness of any of its bank subsidiaries, or are unduly influenced by business lines.
While the Committee oversees the Corporation’s risk management function, management is ultimately responsible for identifying, planning for, responding to, and escalating the Corporation’s material risks, including compliance risk, credit risk, liquidity risk, market risk, operational risk, technology risk, reputational risk, financial crimes (including Bank Secrecy Act and anti-money laundering (“BSA/AML”)), strategic risk, and environmental, social and governance (ESG) risk, including climate change risk.
Committee Membership
The Committee members and its Chair are appointed annually by the Board, on the recommendation of the Nominating and Governance Committee of the Corporation, and may be replaced by the Board. The Committee shall have at least three members. The Committee must include at least one member having experience in identifying, assessing and managing risk exposures of large complex financial firms. All members of the Committee will have an understanding of risk management principles and practices relevant to the Corporation. Committee members shall meet applicable legal and regulatory criteria.
1 The Chair must meet the independence requirements of the New York Stock Exchange (as applied to the members of the Board of Directors), the Corporation’s Corporate Governance Guidelines and any standards of independence as may be prescribed by any applicable listing standards, laws and regulations relating to the Committee’s duties and responsibilities. The Committee may delegate to its Chair such power and authority as the Committee deems to be appropriate, except such powers and authorities required by law or regulation to be exercised by the whole Committee or by a subcommittee of at least three members.
Meetings
The Committee shall meet at least quarterly, or more frequently as needed. The agendas for the meetings shall be set under the direction of the Chair of the Committee. The Committee Chair may request that certain officers or employees of the Corporation, other directors, the Corporation’s outside counsel, independent auditor or other advisors, as the Committee deems appropriate, be present at meetings of the Committee. The Committee shall meet in executive session without members of management in attendance as often as deemed appropriate, but at minimum annually. The Committee also may meet separately in executive session with each of the independent auditor, the Chief Risk Officer and independent risk management as it deems appropriate for carrying out its responsibilities. In addition, independent members of the Committee may meet in executive session without members of management and non-independent directors in attendance as often as deemed appropriate. The Chair of the Committee shall have the sole authority to call the Committee into executive session, provided that any member of the Committee may request that the Chair call an executive session, subject to the Chair’s discretion.
Committee Duties and Responsibilities
1. The Committee shall approve the Corporation’s enterprise risk management framework, periodically review and evaluate the adequacy and effectiveness of such framework and shall approve any and all significant changes, additions or deletions to the Corporation’s enterprise risk management framework.
2. The Committee shall annually approve a statement or statements defining the Corporation’s risk appetite, monitor the Corporation’s risk profile at least quarterly and provide input to management regarding the Corporation’s risk appetite and risk profile.
3. The Committee shall oversee management’s implementation and management of, and adherence to, the Corporation’s significant risk management policies, procedures, limits and tolerances.
4. The Committee shall provide oversight of the Corporation’s progress on ESG risk management initiatives and activities.
5. The Committee shall receive periodic reports on, and reviews of, the Corporation’s enterprise risk management framework and risk management programs and their results from members of management across all three lines of defense, including, but not limited to, the Chief Risk Officer to ensure the Board has comprehensive visibility into all of the Corporation’s material risks. The subject of such periodic reports shall include, but not be limited to:
a. Capital planning and management, to include CCAR Reporting;
b. Liquidity management and contingency funding planning;
2
c. Credit Risk;
d. Compliance and Regulatory Risk;
e. Operational Risk;
f. Technology Risk;
g. Asset/Liability management and market functions; and
h. Other risks material to the oversight of the Corporation’s enterprise risk management framework, including, but not limited to issues management, credit risk review, market risk, reputational risk, BSA/AML risk, model risk, strategic risk, and ESG risk, including climate change risk.
6. The Credit Risk Review Manager shall report directly to the Committee, and administratively to the Chief Risk Officer or the Chief Risk Officer’s designee. The Committee shall annually review the Credit Risk Review Manager’s performance. 7. The Committee shall review and approve, unless reviewed and approved by the Board as a whole, the Corporation’s Comprehensive Capital Analysis and Review and stress test submissions, and resolution plans.
8. The Committee shall discuss with management, including the Chief Risk Officer, the Corporation’s major risk exposures and review the steps management has taken to identify, monitor and control such exposures.
9. The Committee shall provide effective oversight of the independence, authority and adequacy of the risk management function and ensure that the senior-level risk management officers, including the Chief Risk Officer, have sufficient stature, authority and seniority, and resources, including budget, staffing, and systems of internal controls, to carry out such officers’ responsibilities.
10. The Committee may coordinate and share information with, or receive information from, or meet with the Audit Committee and the Compensation and Human Capital Committee concerning the incentive compensation practices of the Corporation and the impact of any risk outcomes on such practices.
11. On at least a semi-annual basis, the Committee shall coordinate and share information with, and receive information from, or meet with the Audit Committee and the Technology Committee concerning technology operations risks in support of the Risk Committee’s overall responsibility and oversight of the Corporation’s enterprise risk management framework.
12. As necessary or advisable, or as may be required to carry out statutory, regulatory or other responsibilities, the Committee shall coordinate and share information with, or receive information from, or meet with Board committees concerning risk management matters within such other committees’ respective areas of oversight and responsibility.
3 13. The Committee, or a designated subcommittee of the Committee composed of members of the Board, shall approve, at least annually, the contingency funding plan that sets out the Corporation’s strategies for addressing liquidity needs during liquidity stress events, and shall approve any material revisions to the plan prior to implementation of such revisions.
14. The Committee shall provide oversight to management to ensure a robust and effective risk culture as an integral component of the Corporation’s enterprise risk management framework.
15. The Committee shall receive reports, as necessary and appropriate, from Executive Management regarding merger, acquisition, divestiture and portfolio purchase transactions in accordance with the Corporation’s Mergers and Acquisitions Policy.
16. The Chair of the Committee shall report periodically to the Board on the Committee’s activities and recommendations. The Committee shall document and maintain records of its proceedings, including risk management decisions and approvals.
17. The Committee shall annually review and assess the adequacy of its Charter and recommend to the Board any changes to this Charter. The Committee shall on an ongoing basis, but at least annually, review its own performance, assessing its strengths and opportunities and the skills and resources required to meet its obligations under this Charter, and shall recommend to the Board such enhancements as the Committee deems prudent.
18. The Committee shall carry out such other duties as may be delegated to it by the Board from time to time.
Chief Risk Officer
The Chief Risk Officer shall report directly to the Committee and administratively to the Chief Executive Officer. The Committee shall approve the appointment and removal of the Chief Risk Officer, annually review the Chief Risk Officer’s performance, communicate with the Compensation and Human Capital Committee, as appropriate, the results of its performance review, and annually approve the Compensation and Human Capital Committee’s determination with respect to the compensation of the Chief Risk Officer. The Committee shall, in consultation with the Compensation and Human Capital Committee, ensure that the compensation of the Chief Risk Officer is consistent with the safety and soundness of the Corporation and does not encourage excessive risk taking.
Committee Powers; Authority and Delegation of Authority
1. The Committee shall have direct access to, and complete and open communication with, the Corporation’s management, including the Chief Risk Officer, and may obtain advice and assistance from internal legal, risk or other advisors.
2. The Committee shall have the authority, to the extent it deems necessary or appropriate, to retain independent risk management, legal, accounting or other advisors and shall have sole authority to approve the advisors’ fees and other retention terms, including the authority to limit the amount of fees an advisor may earn from other services provided to the Corporation. The Corporation shall provide appropriate funding, as determined by the Committee, to allow the Committee to perform its functions, including for the fees and expenses of outside advisors to the Committee.
4 3. The Committee may delegate authority to either subcommittees comprised of three or more members of the Committee or other Committees of the Board of Directors with one or more shared members. Each such delegation shall confer the full power and authority of the Committee as to matters delegated to it. In this regard, the Committee has delegated to the Technology Committee its oversight of technology risk mitigation strategies and initiatives, subject to the reporting and expectations set forth herein and in the Charter of the Technology Committee. The Committee maintains comprehensive oversight of technology risk to ensure the Corporation’s overall risk profile aligns with its established risk appetite.
Reviewed and approved April 27, 2021
5